PSCertificateEnrollment.psm1
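# Root module of PSCertificateEnrollment.
# Declares the read-only lookup tables (CertEnroll/CertCli enum values, OIDs, SCEP and
# NDES status codes) used by the functions of this module, then dot-sources every
# function file from the Functions directory next to this file.
# All tables are created with -Option Constant, so they cannot be changed or removed
# for the lifetime of the session once the module is loaded.

# https://docs.microsoft.com/en-us/windows/release-information/
# Minimum OS build numbers that functions can compare against (7601 is Windows 7 SP1).
New-Variable -Option Constant -Name BUILD_NUMBER_WINDOWS_7 -Value 7601
New-Variable -Option Constant -Name BUILD_NUMBER_WINDOWS_8_1 -Value 9600
New-Variable -Option Constant -Name BUILD_NUMBER_WINDOWS_10 -Value 10240

# https://docs.microsoft.com/en-us/windows/win32/api/certenroll/ne-certenroll-objectidgroupid
New-Variable -Option Constant -Name ObjectIdGroupId -Value @{
    # 0x80000000 does not fit a positive Int32 literal, hence [Int]::MinValue
    XCN_CRYPT_OID_DISABLE_SEARCH_DS_FLAG = [Int]::MinValue
    XCN_CRYPT_ANY_GROUP_ID = 0
    XCN_CRYPT_HASH_ALG_OID_GROUP_ID = 1
    XCN_CRYPT_FIRST_ALG_OID_GROUP_ID = 1
    XCN_CRYPT_ENCRYPT_ALG_OID_GROUP_ID = 2
    XCN_CRYPT_PUBKEY_ALG_OID_GROUP_ID = 3
    XCN_CRYPT_SIGN_ALG_OID_GROUP_ID = 4
    XCN_CRYPT_LAST_ALG_OID_GROUP_ID = 4
    XCN_CRYPT_RDN_ATTR_OID_GROUP_ID = 5
    XCN_CRYPT_EXT_OR_ATTR_OID_GROUP_ID = 6
    XCN_CRYPT_ENHKEY_USAGE_OID_GROUP_ID = 7
    XCN_CRYPT_POLICY_OID_GROUP_ID = 8
    XCN_CRYPT_TEMPLATE_OID_GROUP_ID = 9
    XCN_CRYPT_KDF_OID_GROUP_ID = 10
    XCN_CRYPT_LAST_OID_GROUP_ID = 10
    XCN_CRYPT_OID_INFO_OID_GROUP_BIT_LEN_SHIFT = 16
    XCN_CRYPT_GROUP_ID_MASK = 65535
    XCN_CRYPT_OID_INFO_OID_GROUP_BIT_LEN_MASK = 268369920
    XCN_CRYPT_KEY_LENGTH_MASK = 268369920
    XCN_CRYPT_OID_PREFER_CNG_ALGID_FLAG = 1073741824
}

# https://docs.microsoft.com/en-us/windows/win32/api/certenroll/ne-certenroll-objectidpublickeyflags
New-Variable -Option Constant -Name ObjectIdPublicKeyFlags -Value @{
    XCN_CRYPT_OID_INFO_PUBKEY_ANY = 0
    # NOTE(review): this value does not follow the high-bit pattern of the ENCRYPT flag
    # below (0x40000000) - confirm it against the enum documented at the URL above.
    XCN_CRYPT_OID_INFO_PUBKEY_SIGN_KEY_FLAG = 1
    XCN_CRYPT_OID_INFO_PUBKEY_ENCRYPT_KEY_FLAG = 1073741824
}

# https://docs.microsoft.com/en-us/windows/win32/api/certcli/nf-certcli-icertrequest2-getcaproperty
New-Variable -Option Constant -Name PropType -Value @{
    PROPTYPE_LONG = 1
    PROPTYPE_DATE = 2
    PROPTYPE_BINARY = 3
    PROPTYPE_STRING = 4
}

# https://msdn.microsoft.com/en-us/library/windows/desktop/aa379394.aspx
New-Variable -Option Constant -Name X500NameFlags -Value @{
    XCN_CERT_NAME_STR_NONE = 0
    XCN_CERT_SIMPLE_NAME_STR = 1
    XCN_CERT_OID_NAME_STR = 2
    XCN_CERT_X500_NAME_STR = 3
    XCN_CERT_XML_NAME_STR = 4
    XCN_CERT_NAME_STR_SEMICOLON_FLAG = 0x40000000
    XCN_CERT_NAME_STR_NO_PLUS_FLAG = 0x20000000
    XCN_CERT_NAME_STR_NO_QUOTING_FLAG = 0x10000000
    XCN_CERT_NAME_STR_CRLF_FLAG = 0x8000000
    XCN_CERT_NAME_STR_COMMA_FLAG = 0x4000000
    XCN_CERT_NAME_STR_REVERSE_FLAG = 0x2000000
    XCN_CERT_NAME_STR_FORWARD_FLAG = 0x1000000
    XCN_CERT_NAME_STR_DISABLE_IE4_UTF8_FLAG = 0x10000
    XCN_CERT_NAME_STR_ENABLE_T61_UNICODE_FLAG = 0x20000
    XCN_CERT_NAME_STR_ENABLE_UTF8_UNICODE_FLAG = 0x40000
    XCN_CERT_NAME_STR_FORCE_UTF8_DIR_STR_FLAG = 0x80000
    XCN_CERT_NAME_STR_DISABLE_UTF8_DIR_STR_FLAG = 0x100000
}

# Object identifiers for certificate extensions, enhanced key usages, S/MIME
# capabilities and hash algorithms. Stored as dotted-decimal strings.
New-Variable -Option Constant -Name Oid -Value @{

    # https://msdn.microsoft.com/en-us/library/windows/desktop/aa379367(v=vs.85).aspx
    XCN_OID_CRL_DIST_POINTS = '2.5.29.31'
    XCN_OID_AUTHORITY_INFO_ACCESS = '1.3.6.1.5.5.7.1.1'
    XCN_OID_ENHANCED_KEY_USAGE = "2.5.29.37"
    XCN_OID_SUBJECT_ALT_NAME2 = "2.5.29.17"

    # https://msdn.microsoft.com/en-us/library/windows/desktop/aa378132(v=vs.85).aspx
    XCN_OID_ANY_APPLICATION_POLICY = "1.3.6.1.4.1.311.10.12.1"
    XCN_OID_AUTO_ENROLL_CTL_USAGE = "1.3.6.1.4.1.311.20.1"
    XCN_OID_DRM = "1.3.6.1.4.1.311.10.5.1"
    XCN_OID_DS_EMAIL_REPLICATION = "1.3.6.1.4.1.311.21.19"
    XCN_OID_EFS_RECOVERY = "1.3.6.1.4.1.311.10.3.4.1"
    XCN_OID_EMBEDDED_NT_CRYPTO = "1.3.6.1.4.1.311.10.3.8"
    XCN_OID_ENROLLMENT_AGENT = "1.3.6.1.4.1.311.20.2.1"
    XCN_OID_IPSEC_KP_IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"
    XCN_OID_KP_CA_EXCHANGE = "1.3.6.1.4.1.311.21.5"
    XCN_OID_KP_CTL_USAGE_SIGNING = "1.3.6.1.4.1.311.10.3.1"
    XCN_OID_KP_DOCUMENT_SIGNING = "1.3.6.1.4.1.311.10.3.12"
    XCN_OID_KP_EFS = "1.3.6.1.4.1.311.10.3.4"
    XCN_OID_KP_KEY_RECOVERY = "1.3.6.1.4.1.311.10.3.11"
    XCN_OID_KP_KEY_RECOVERY_AGENT = "1.3.6.1.4.1.311.21.6"
    XCN_OID_KP_LIFETIME_SIGNING = "1.3.6.1.4.1.311.10.3.13"
    XCN_OID_KP_QUALIFIED_SUBORDINATION = "1.3.6.1.4.1.311.10.3.10"
    XCN_OID_KP_SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"
    XCN_OID_KP_TIME_STAMP_SIGNING = "1.3.6.1.4.1.311.10.3.2"
    XCN_OID_LICENSE_SERVER = "1.3.6.1.4.1.311.10.6.2"
    XCN_OID_LICENSES = "1.3.6.1.4.1.311.10.6.1"
    # Fixed: this entry previously repeated the OEM WHQL OID (...10.3.7) from the next
    # line, so the two usages were indistinguishable. wincrypt.h defines
    # szOID_NT5_CRYPTO as ...10.3.6.
    XCN_OID_NT5_CRYPTO = "1.3.6.1.4.1.311.10.3.6"
    XCN_OID_OEM_WHQL_CRYPTO = "1.3.6.1.4.1.311.10.3.7"
    XCN_OID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
    XCN_OID_PKIX_KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
    XCN_OID_PKIX_KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
    XCN_OID_PKIX_KP_IPSEC_END_SYSTEM = "1.3.6.1.5.5.7.3.5"
    XCN_OID_PKIX_KP_IPSEC_TUNNEL = "1.3.6.1.5.5.7.3.6"
    XCN_OID_PKIX_KP_IPSEC_USER = "1.3.6.1.5.5.7.3.7"
    XCN_OID_PKIX_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"
    XCN_OID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
    XCN_OID_PKIX_KP_TIMESTAMP_SIGNING = "1.3.6.1.5.5.7.3.8"
    XCN_OID_ROOT_LIST_SIGNER = "1.3.6.1.4.1.311.10.3.9"
    XCN_OID_WHQL_CRYPTO = "1.3.6.1.4.1.311.10.3.5"

    # https://docs.microsoft.com/en-us/windows/win32/api/certenroll/nn-certenroll-ix509extensionsmimecapabilities
    XCN_OID_OIWSEC_desCBC = "1.3.14.3.2.7"
    XCN_OID_RSA_DES_EDE3_CBC = "1.2.840.113549.3.7"
    XCN_OID_RSA_RC2CBC = "1.2.840.113549.3.2"
    XCN_OID_RSA_RC4 = "1.2.840.113549.3.4"
    XCN_OID_RSA_SMIMEalgCMS3DESwrap = "1.2.840.113549.1.9.16.3.6"
    XCN_OID_RSA_SMIMEalgCMSRC2wrap = "1.2.840.113549.1.9.16.3.7"
    XCN_OID_NIST_AES128_CBC = "2.16.840.1.101.3.4.1.2"
    XCN_OID_NIST_AES192_CBC = "2.16.840.1.101.3.4.1.22"
    XCN_OID_NIST_AES256_CBC = "2.16.840.1.101.3.4.1.42"
    XCN_OID_NIST_AES128_WRAP = "2.16.840.1.101.3.4.1.5"
    XCN_OID_NIST_AES192_WRAP = "2.16.840.1.101.3.4.1.25"
    XCN_OID_NIST_AES256_WRAP = "2.16.840.1.101.3.4.1.45"

    # Own Definition
    XCN_OID_KP_KDC = "1.3.6.1.5.2.3.5"
    XCN_OID_KP_RDC = "1.3.6.1.4.1.311.54.1.2"
    XCN_OID_KP_DOCUMENT_ENCRYPTION = "1.3.6.1.4.1.311.80.1"

    # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-gpnap/a48b02b2-2a10-4eb0-bed4-1807a6d2f5ad
    md5NoSign = "1.2.840.113549.2.5"
    sha1NoSign = "1.3.14.3.2.26"
    sha256NoSign = "2.16.840.1.101.3.4.2.1"
    sha384NoSign = "2.16.840.1.101.3.4.2.2"
    sha512NoSign = "2.16.840.1.101.3.4.2.3"
}

# https://docs.microsoft.com/en-us/windows/win32/api/certcli/nf-certcli-icertrequest2-getfullresponseproperty
New-Variable -Option Constant -Name FullResponseProperty -Value @{
    FR_PROP_NONE = 0
    FR_PROP_FULLRESPONSE = 1
    FR_PROP_STATUSINFOCOUNT = 2
    FR_PROP_BODYPARTSTRING = 3
    FR_PROP_STATUS = 4
    FR_PROP_STATUSSTRING = 5
    FR_PROP_OTHERINFOCHOICE = 6
    FR_PROP_FAILINFO = 7
    FR_PROP_PENDINFOTOKEN = 8
    FR_PROP_PENDINFOTIME = 9
    FR_PROP_ISSUEDCERTIFICATEHASH = 10
    FR_PROP_ISSUEDCERTIFICATE = 11
    FR_PROP_ISSUEDCERTIFICATECHAIN = 12
    FR_PROP_ISSUEDCERTIFICATECRLCHAIN = 13
    FR_PROP_ENCRYPTEDKEYHASH = 14
    FR_PROP_FULLRESPONSENOPKCS7 = 15
    FR_PROP_CAEXCHANGECERTIFICATEHASH = 16
    FR_PROP_CAEXCHANGECERTIFICATE = 17
    FR_PROP_CAEXCHANGECERTIFICATECHAIN = 18
    FR_PROP_CAEXCHANGECERTIFICATECRLCHAIN = 19
    FR_PROP_ATTESTATIONCHALLENGE = 20
    FR_PROP_ATTESTATIONPROVIDERNAME = 21
}

# https://docs.microsoft.com/en-us/windows/win32/api/certcli/nf-certcli-icertrequest-submit
# https://docs.microsoft.com/en-us/windows/win32/api/certcli/nf-certcli-icertrequest-getcertificate
New-Variable -Option Constant -Name RequestFlags -Value @{
    CR_IN_BASE64HEADER = 0
    CR_IN_BASE64 = 1
    CR_IN_BINARY = 2
    CR_IN_ENCODEANY = 0xff
    CR_OUT_BASE64HEADER = 0
    CR_OUT_BASE64 = 1
    CR_OUT_BINARY = 2
}

# https://docs.microsoft.com/en-us/windows/win32/api/certenroll/ne-certenroll-alternativenametype
New-Variable -Option Constant -Name AlternativeNameType -Value @{
    XCN_CERT_ALT_NAME_UNKNOWN = 0
    XCN_CERT_ALT_NAME_OTHER_NAME = 1
    XCN_CERT_ALT_NAME_RFC822_NAME = 2
    XCN_CERT_ALT_NAME_DNS_NAME = 3
    XCN_CERT_ALT_NAME_DIRECTORY_NAME = 5
    XCN_CERT_ALT_NAME_URL = 7
    XCN_CERT_ALT_NAME_IP_ADDRESS = 8
    XCN_CERT_ALT_NAME_REGISTERED_ID = 9
    XCN_CERT_ALT_NAME_GUID = 10
    XCN_CERT_ALT_NAME_USER_PRINCIPLE_NAME = 11
}

# https://docs.microsoft.com/en-us/windows/win32/api/certcli/nf-certcli-icertrequest-submit
New-Variable -Option Constant -Name DispositionType -Value @{
    CR_DISP_INCOMPLETE = 0
    CR_DISP_ERROR = 1
    CR_DISP_DENIED = 2
    CR_DISP_ISSUED = 3
    CR_DISP_ISSUED_OUT_OF_BAND = 4
    CR_DISP_UNDER_SUBMISSION = 5
    CR_DISP_REVOKED = 6
}

# https://msdn.microsoft.com/en-us/library/windows/desktop/aa374936(v=vs.85).aspx
New-Variable -Option Constant -Name EncodingType -Value @{
    # 0x80000000 does not fit a positive Int32 literal, hence [Int]::MinValue
    XCN_CRYPT_STRING_NOCR = [Int]::MinValue
    XCN_CRYPT_STRING_BASE64HEADER = 0
    XCN_CRYPT_STRING_BASE64 = 1
    XCN_CRYPT_STRING_BINARY = 2
    XCN_CRYPT_STRING_BASE64REQUESTHEADER = 3
    XCN_CRYPT_STRING_HEX = 4
    XCN_CRYPT_STRING_HEXASCII = 5
    XCN_CRYPT_STRING_BASE64_ANY = 6
    XCN_CRYPT_STRING_ANY = 7
    XCN_CRYPT_STRING_HEX_ANY = 8
    XCN_CRYPT_STRING_BASE64X509CRLHEADER = 9
    XCN_CRYPT_STRING_HEXADDR = 10
    XCN_CRYPT_STRING_HEXASCIIADDR = 11
    XCN_CRYPT_STRING_HEXRAW = 12
    XCN_CRYPT_STRING_BASE64URI = 13
    XCN_CRYPT_STRING_ENCODEMASK = 255
    XCN_CRYPT_STRING_CHAIN = 256
    XCN_CRYPT_STRING_TEXT = 512
    XCN_CRYPT_STRING_PERCENTESCAPE = 134217728
    XCN_CRYPT_STRING_HASHDATA = 268435456
    XCN_CRYPT_STRING_STRICT = 536870912
    XCN_CRYPT_STRING_NOCRLF = 1073741824
}

# https://docs.microsoft.com/en-us/windows/win32/api/certpol/ne-certpol-x509scepdisposition
New-Variable -Option Constant -Name X509SCEPDisposition -Value @{
    SCEPDispositionUnknown = -1
    SCEPDispositionSuccess = 0
    SCEPDispositionFailure = 2
    SCEPDispositionPending = 3
    SCEPDispositionPendingChallenge = 11
}

# https://docs.microsoft.com/en-us/windows/win32/api/certenroll/ne-certenroll-x509privatekeyverify
# NOTE(review): the last two values are written here as bit flags (4, 8); confirm them
# against the enum at the URL above, which may be numbered sequentially.
New-Variable -Option Constant -Name X509PrivateKeyVerify -Value @{
    VerifyNone = 0
    VerifySilent = 1
    VerifySmartCardNone = 2
    VerifySmartCardSilent = 4
    VerifyAllowUI = 8
}

# https://docs.microsoft.com/en-us/windows/win32/api/certenroll/ne-certenroll-algorithmflags
New-Variable -Option Constant -Name AlgorithmFlags -Value @{
    AlgorithmFlagsNone = 0
    AlgorithmFlagsWrap = 1
}

# https://docs.microsoft.com/en-us/windows/win32/api/certenroll/ne-certenroll-installresponserestrictionflags
# AllowUntrustedCertificate and AllowUntrustedRoot relax chain validation when a CA
# response is installed; AllowNone is the restrictive choice and callers should only
# pass the others deliberately.
New-Variable -Option Constant -Name InstallResponseRestrictionFlags -Value @{
    AllowNone = 0
    AllowNoOutstandingRequest = 1
    AllowUntrustedCertificate = 2
    AllowUntrustedRoot = 4
}

# https://docs.microsoft.com/en-us/windows/win32/api/certcli/ne-certcli-x509enrollmentauthflags
# https://docs.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.x509enrollmentauthflags
# https://gist.github.com/ctkirkman/77729328070ee1e1057fa1e2a64121a5
New-Variable -Option Constant -Name X509EnrollmentAuthFlags -Value @{
    X509AuthNone = 0
    X509AuthAnonymous = 1
    X509AuthKerberos = 2
    X509AuthUsername = 4
    X509AuthCertificate = 8
}

# https://docs.microsoft.com/en-us/windows/win32/api/certenroll/ne-certenroll-x509certificateenrollmentcontext
New-Variable -Option Constant -Name X509CertificateEnrollmentContext -Value @{
    ContextNone = 0
    ContextUser = 1
    ContextMachine = 2
    ContextAdministratorForceMachine = 3
}

# https://docs.microsoft.com/en-us/windows/win32/api/certenroll/nf-certenroll-ix509certificaterequestpkcs10-initializefromcertificate
New-Variable -Option Constant -Name X509RequestInheritOptions -Value @{
    InheritDefault = 0x00000000
    InheritRenewalCertificateFlag = 0x00000020
    InheritTemplateFlag = 0x00000040
    InheritSubjectFlag = 0x00000080
    InheritExtensionsFlag = 0x00000100
    InheritSubjectAltNameFlag = 0x00000200
}

# https://tools.ietf.org/html/draft-nourse-scep-23#section-3.1.1.4
# Array of SCEP failInfo codes; each element carries the numeric Code, the protocol
# Message name and a human-readable Description.
New-Variable -Option Constant -Name SCEPFailInfo -Value @(
    @{
        Code = 0
        Message = "badAlg"
        Description = "Unrecognized or unsupported algorithm identifier"
    }
    @{
        Code = 1
        Message = "badMessageCheck"
        Description = "integrity check failed"
    }
    @{
        Code = 2
        Message = "badRequest"
        Description = "transaction not permitted or supported"
    }
    @{
        Code = 3
        Message = "badTime"
        Description = "The signingTime attribute from the PKCS#7 authenticatedAttributes was not sufficiently close to the system time."
    }
    @{
        Code = 4
        Message = "badCertId"
        Description = "No certificate could be identified matching the provided criteria."
    }
)

# Built from the Error Codes I observed whilst testing Get-NDESCertificate
# Stored as String as this gets compared against a text that is returned from the API
New-Variable -Option Constant -Name NDESErrorCode -Value @{
    CERT_E_WRONG_USAGE = "0x800b0110"
    TRUST_E_CERT_SIGNATURE = "0x80096004"
    ERROR_NOT_FOUND = "0x80070490"
    CERTSRV_E_BAD_REQUESTSUBJECT = "0x80094001"
    RPC_S_SERVER_UNAVAILABLE = "0x800706ba"
}

# https://msdn.microsoft.com/en-us/library/windows/desktop/aa378132(v=vs.85).aspx
# Friendly EKU names mapped to their OIDs; must be declared after $Oid.
New-Variable -Option Constant -Name EkuNameToOidTable -Value @{
    EnrollmentAgent = $Oid.XCN_OID_ENROLLMENT_AGENT
    ClientAuthentication = $Oid.XCN_OID_PKIX_KP_CLIENT_AUTH
    CodeSigning = $Oid.XCN_OID_PKIX_KP_CODE_SIGNING
    LifeTimeSigning = $Oid.XCN_OID_KP_LIFETIME_SIGNING
    DocumentSigning = $Oid.XCN_OID_KP_DOCUMENT_SIGNING
    DocumentEncryption = $Oid.XCN_OID_KP_DOCUMENT_ENCRYPTION
    EncryptingFileSystem = $Oid.XCN_OID_KP_EFS
    FileRecovery = $Oid.XCN_OID_EFS_RECOVERY
    IPSecEndSystem = $Oid.XCN_OID_PKIX_KP_IPSEC_END_SYSTEM
    IPSecIKEIntermediate = $Oid.XCN_OID_IPSEC_KP_IKE_INTERMEDIATE
    IPSecTunnelEndpoint = $Oid.XCN_OID_PKIX_KP_IPSEC_TUNNEL
    IPSecUser = $Oid.XCN_OID_PKIX_KP_IPSEC_USER
    KeyRecovery = $Oid.XCN_OID_KP_KEY_RECOVERY
    KDCAuthentication = $Oid.XCN_OID_KP_KDC
    SecureEmail = $Oid.XCN_OID_PKIX_KP_EMAIL_PROTECTION
    ServerAuthentication = $Oid.XCN_OID_PKIX_KP_SERVER_AUTH
    SmartCardLogon = $Oid.XCN_OID_KP_SMARTCARD_LOGON
    TimeStamping = $Oid.XCN_OID_PKIX_KP_TIMESTAMP_SIGNING
    OCSPSigning = $Oid.XCN_OID_PKIX_KP_OCSP_SIGNING
    RemoteDesktopAuthentication = $Oid.XCN_OID_KP_RDC
    PrivateKeyArchival = $Oid.XCN_OID_KP_CA_EXCHANGE
}

# S/MIME capability names mapped to their OIDs; must be declared after $Oid.
# des, rc2, rc4, md5 and sha1 are legacy algorithms that remain listed for
# interoperability; prefer the AES and SHA-2 entries when advertising capabilities.
New-Variable -Option Constant -Name SmimeCapabilityToOidTable -Value @{
    des = $Oid.XCN_OID_OIWSEC_desCBC
    des3 = $Oid.XCN_OID_RSA_DES_EDE3_CBC
    rc2 = $Oid.XCN_OID_RSA_RC2CBC
    rc4 = $Oid.XCN_OID_RSA_RC4
    des3wrap = $Oid.XCN_OID_RSA_SMIMEalgCMS3DESwrap
    rc2wrap = $Oid.XCN_OID_RSA_SMIMEalgCMSRC2wrap
    aes128 = $Oid.XCN_OID_NIST_AES128_CBC
    aes192 = $Oid.XCN_OID_NIST_AES192_CBC
    aes256 = $Oid.XCN_OID_NIST_AES256_CBC
    aes128wrap = $Oid.XCN_OID_NIST_AES128_WRAP
    aes192wrap = $Oid.XCN_OID_NIST_AES192_WRAP
    aes256wrap = $Oid.XCN_OID_NIST_AES256_WRAP
    # Hashtable key lookup is case-insensitive, so md5noSign resolves to md5NoSign etc.
    md5 = $Oid.md5noSign
    sha1 = $Oid.sha1noSign
    sha256 = $Oid.sha256noSign
    sha384 = $Oid.sha384noSign
    sha512 = $Oid.sha512noSign
}

# Directory that contains this .psm1 file; every function file is resolved relative to it.
$ModuleRoot = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent

# The dot-sourced files below run in the module's scope with the privileges of whoever
# imports the module, so the Functions directory needs the same write protection as
# this file.

# Import Public Functions
. $ModuleRoot\Functions\Get-NDESOTP.ps1
. $ModuleRoot\Functions\Get-NDESCertificate.ps1
. $ModuleRoot\Functions\Get-KeyStorageProvider.ps1
. $ModuleRoot\Functions\Get-IssuedCertificate.ps1
. $ModuleRoot\Functions\New-CertificateRequest.ps1
. $ModuleRoot\Functions\New-SignedCertificateRequest.ps1
. $ModuleRoot\Functions\Install-IssuedCertificate.ps1
. $ModuleRoot\Functions\Undo-CertificateArchival.ps1
. $ModuleRoot\Functions\Get-RemoteDesktopCertificate.ps1
. $ModuleRoot\Functions\Set-RemoteDesktopCertificate.ps1

# Import Private Functions
. $ModuleRoot\Functions\Convert-DERToBASE64.ps1
. $ModuleRoot\Functions\Convert-StringToCertificateSerialNumber.ps1
. $ModuleRoot\Functions\Convert-StringToDER.ps1
. $ModuleRoot\Functions\Convert-StringToHex.ps1
. $ModuleRoot\Functions\Get-Asn1LengthOctets.ps1
. $ModuleRoot\Functions\Get-CertificateHash.ps1
. $ModuleRoot\Functions\New-AiaExtension.ps1
. $ModuleRoot\Functions\New-CdpExtension.ps1

# NOTE: the Authenticode signature block that used to follow here has been removed.
# The signature is computed over the exact file content, so it stops validating as soon
# as any line changes (the OID correction above included). Re-sign the module with
# Set-AuthenticodeSignature before distributing it and confirm the result with
# Get-AuthenticodeSignature; a stale block would make the file fail signature checks.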